Product SiteDocumentation Site

8.9. 其他配置:时间同步、日志记录、共享访问…

本节列出的细目对希望精通 GNU/Linux 系统配置极有帮助。这里只列出简要的内容,详情仍需参阅文档。

8.9.1. 时区

The timezone, configured during initial installation, is a configuration item for the tzdata package. To modify it, use the dpkg-reconfigure tzdata command, which allows you to choose the timezone to be used in an interactive manner. Its configuration is stored in the /etc/timezone file. Additionally, /etc/localtime becomes a symbolic link to the corresponding file in the /usr/share/zoneinfo; the file that contains the rules governing the dates where daylight saving time (DST) is active, for countries that use it.
暂时变更时区,可使用 TZ 环境变量,它的优先次序在缺省的配置档之前:
$ date
Thu Sep  2 22:29:48 CEST 2021
$ TZ="Pacific/Honolulu" date
Thu 02 Sep 2021 10:31:01 AM HST

8.9.2. 时间同步

时间同步,在单机时代是多余,但在网络时代却很重要。用户无权修改日期与时间,所以需要精准的时间以免混乱。尤有甚者,网络上的电脑时间同步后,有助于安排社区工作者透过全球网络互联。受到攻击时,容易依序恢复原来的运作。由多部机器收集来的统计数据,必须有同步的时间,才能发挥作用。

8.9.2.1. 工作站

工作站经常需要重新开机 (虽然只是节省能源),开机时以 NTP 同步就够了。安装 ntpdate 软件包就可以。需要更换 NTP 服务器时,再修改 /etc/default/ntpdate 文件即可。

8.9.2.2. 服务器

服务器很少重启,系统时间必须绝对精准。为了永久维持时间的正确性,必须安装由 ntp 软件包提供的 NPT 服务器。缺省的配置方式系与 pool.ntp.org 同步,且回应本地网络的请求。可以编辑 /etc/ntp.conf 文件改变原来的配置,NTP 服务器依照该文件的内容而变更。若有多个服务器,最好有一个本地时间服务器与公共的服务器同步,并做为本地网络其他服务器的同步的依据。

8.9.3. 轮转日志文件

日志文件的增长速度很快,需要存档。最常的做法是循环存档:只保留最新的 X 部分。logrotate 是负责循环的程序,根据 /etc/logrotate.conf 文件内的配置,把日志文件保存在 /etc/logrotate.d/ 文件夹内。管理者可以修改该文件,修改 Debian 缺省的循环政策。logrotate(1) 手册页面描述该配置可用的选项。可以在循环的过程中,增加存档的文件数,或把文件移至指定的文件夹而不是删除它们。也可以电子邮件方式邮寄到别的地方。
logrotate 程序每日运行 cron 调度的要求 (详情见 第 9.7 节 “使用 cronatd运行计划任务”)。

8.9.4. 共享管理员权限

数个管理者共同在同个服务器工作。共用同一个root用户密码不是好主意,匿名引发的误用很麻烦。解决方案是使用 sudo 程序,允许用户对特定命令拥有专门的权力。在多数情况下,sudo 允许受信任的用户以root的权限运行命令。用户只需运行 sudo command 并以个人的密码通过认证。
When installed, the sudo package gives full root rights to members of the sudo Unix group. To delegate other rights, the administrator can use the visudo command, which allows them to modify the /etc/sudoers configuration file (here again, this will invoke the vi editor, or any other editor indicated in the EDITOR environment variable). Alternatively they might put rules in small files in /etc/sudoers.d/ as long as this directory is included by /etc/sudoers via @includedir /etc/sudoers.d, which is the default for Debian. Adding a line with username ALL=(ALL) ALL allows the user in question to execute any command as root.
More sophisticated configurations allow authorization of only specific commands to specific users. All the details of the various possibilities are given in the sudoers(5) manual page.

8.9.5. 挂载点清单

The /etc/fstab file gives a list of all possible mounts that happen either automatically on boot or manually for removable storage devices. Each mount point is described by a line with several space-separated fields:
  • file system: this indicates where the filesystem to be mounted can be found, it can be a local device (hard drive partition, CD-ROM) or a remote filesystem (such as NFS or even SSHFS).
    This field is frequently replaced with the unique ID of the filesystem (which you can determine with blkid device) prefixed with UUID=. This guards against a change in the name of the device in the event of addition or removal of disks, or if disks are detected in a different order. 第 8.8.1 节 “辨识磁盘” covers this topic in more detail.
  • mount point:这是把设备、远程系统或分区挂载到本地文件系统的位置。
  • type:这个字段定义挂载设备使用的文件系统。ext4ext3vfatntfsbtrfsxfs 等。
    A complete list of known filesystems is available in the mount(8) manual page. The swap special value is for swap partitions; the auto special value tells the mount program to automatically detect the filesystem (which is especially useful for disk readers and USB keys, since each one might have a different filesystem);
  • options:依文件系统的不同,而有多种选项,详情见 mount 手册页面。最常用的是
    • rwro,表示该设备挂载后可以读/写,或只有读取的权限。
    • noauto 开机时关闭自动挂载。
    • nofail 允许在启动时处理设备,即使该设备不存在。确认启动时,该外置磁盘机可能未插入,因为 systemd 将确认所有挂载点在启动完成前必须自动挂载。可将此与 x-systemd.device-timeout=5s 并用,告诉 systemd 不必等 5 秒以上的时间,直接进入下个作业阶段 (见 systemd.mount(5))。
    • user 授权所有的用户均可挂载此文件系统 (若无此选项,则只有根用户才有此权限)。
    • defaults 表示缺省的选项群组为:rwsuiddevexecautonouserasync,使用了 defaults 之后,还可以用 nosuid 命令、nodev 及其他类似的命令,中止 suiddev 等作用。加入 user 选项可再启用它,因为 defaults 包括 nouser
  • dump: this field is almost always set to 0 and kind of a relic. When it is greater then zero, it tells the dump tool that the partition contains data that is to be backed up frequently. The tool supports Ext2/3/4 filesystems only and will use the value here when run via dump -W or dump -w to determine which partitions need to be backed up. Consider the examples in /usr/share/doc/dump/examples/ if you want to use this feature. But there are better alternatives to backup a filesystem, like fsarchiver.
  • pass:最后一个字段告知系统在启动时,或其他时机,检查文件系统的完整性。若设为 0,则不检查。根文件系统的值为 1,其他固定文件系统的值为 2

例 8.5. 范例 /etc/fstab 文件

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system>                           <mount point>   <type>      <options>         <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=7a250fb8-c16d-4a4e-9808-ec08ae92b6c6 /               ext4        errors=remount-ro 0       1
# swap was on /dev/sda5 during installation
UUID=13f367ae-dbaf-40ed-85c0-4072a2ebe426 none            swap        sw                0       0
/dev/sr0                                  /media/cdrom0   udf,iso9660 user,noauto       0       0
/dev/fd0                                  /media/floppy   auto        rw,user,noauto    0       0
arrakis:/shared                           /shared         nfs         defaults          0       0
The last entry in the example corresponds to a network filesystem (NFS): the /shared/ directory on the arrakis server is mounted at /shared/ on the local machine.
The format of the /etc/fstab file is documented in the fstab(5) manual page.

8.9.6. locateupdatedb

The locate command can find the location of a file when you only know part of the name. It sends a result almost instantaneously, since it consults a database that stores the location of all the files on the system; this database is updated daily by the updatedb command. There are multiple implementations of the locate command and Debian picked mlocate for its standard system. If you want to consider an alternative, you can try plocate which provides the same command line options and can be considered a drop-in replacement.
locate is smart enough to only return files which are accessible to the user running the command even though it uses a database that knows about all files on the system (since its updatedb implementation runs with root rights). For extra safety, the administrator can use PRUNEDPATHS in /etc/updatedb.conf to exclude some directories from being indexed.